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SUMMARY 

This article describes how to create a Microsoft Installer Package (MSI) for installing third-party programs. If you want 
to Install a third-party program by using this method, you must install a copy of Veritas Software Console by Seagate 
Software at a location that is accessible by the reference computer. This program is available on the Windows 2000 
CD-ROM in Valueadd\3rdparty\Mgmt\Wlnstle\Swiadmle.msi. This includes a copy of WinlNSTALL limited edition, which 
allows for basic functionality. 

Definitions 
Instruction File 

An instruction file (Microsoft Installer package) contains information about what needs to be done to install a product. 
Clean PC 

A clean PC is defined as a computer with only the following items on it before you run Discover: 

• The operating system 

• The service packs for the operating system 

If you install Veritas Software Console (or any other product) on the computer, it is by definition no longer a clean PC. 
You must install Veritas Software Console somewhere, but not on the clean PC. 

Reference Computer 

A clean PC ensures that the Discover program will pick up all files and registry entries necessary for the program to 
run. 

The reference computer should have access to the Discover program (Discoz.exe) in the Winstall folder from My 
Network Places, Windows Explorer, or the Run command on the Start menu. Do not map a drive to the Winstall 
share. Doing so may cause Discover to pick up the added drive, possibly causing problems in your Microsoft Installer 
packages. 

Discover 

The Discover program is the program you use to create the Instruction file (Microsoft Installer package) that contains 
information about what needs to be done to install a product. 

How to Create a Third-Party MSI Package 

For this process to work properly, you should start with a clean PC. 

1. Start with a clean PC, or one that is representative of the computers in your network. 

2. Start Discover to take a picture of the representative PC's software configuration. This Is the Before snapshot. 

3. Install a program on the PC on which you took the Before snapshot. 

4. Reboot the PC. 

5. Run the new program to verify that it works. 

6. Quit the program. 

7. Start Discover and take an After snapshot of the PC's new configuration. Discover compares the Before and 
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the After snapshots and notes the changes. It creates a Microsoft Installer package with information about 
how to install that program on such a PC in the future. 

8. (Optional) Use Veritas Software Console to customize the (Microsoft Installer package. 

9. Clean the reference computer to prepare to run Discover again. 

10. (Optional) Perform a test installation of the program on non-production workstations. 

To obtain support for Veritas Software Console, please contact Veritas. 



REFERENCES 

For more detailed step-by-step instructions, visit the following Web site: 

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/winstall.mspx (http://www.microsoft.co 
m/technet/prodtechnol/windows2000serv/howto/winstall.mspx) 

This link is contained In the following document that describes the basic technology and compares competing 
products: 

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/featusabillty/inmnwp.mspx (http:// 
www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/featusability/lnnrinwp.nrispx) 

For a detailed description of the technology, consult the "Microsoft Windows 2000 Server Deployment Planning Guide," 
which is one of the volumes included with the Microsoft Windows 2000 Server Resource Kit. 

For detailed information, consult the Microsoft Software Development Kit (SDK) at the following site: 

http://msdn.microsoft.com/downloads/ (http://msdn.microsoft.com/downloads/) 
For technical information about third-party products using MSI technology, see the following Web site: 

http://www.installsite.orq/ {http://www.installsite.org/) 

Microsoft provides third-party contact information to help you find technical support. This contact information may 
change without notice. Microsoft does not guarantee the accuracy of this third-party contact information. 

The third-party products that are discussed in this article are manufactured by companies that are independent of 
Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these 
products. 
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Windows Installer technology was introduced in the Windows 2000 
platform to take some of the pain out of deploying and managing 
Windows applications across an enterprise. In previous versions of 
Windows (NT/9x), developers usually created installation packages using 
a variety of proprietary tools developed by third-party vendors such as 
InstallShield Software and Wise Solutions. To bring some kind of 
consistence to this situation, Microsoft included Windows Installer as a 
core service (msiexec.exe) within Windows 2000 to install, repair, and 
remove software based on instructions contained in .MSI files. 
These .MSI files are basically database files that contain all the 
information an application needs in order to install a packaged 
application. Then once you package your application you can deploy it 
using Group Policy by one of two methods: 

• Assigning an application. You can assign a .MSI package to 
either a computer or a user. If you assign it to a computer, the 
packaged application installs the next time the computer reboots. If 
you assign it to a user, the application typically installs when the 
user tries to run it from the Start menu or tries to open a file that 
has a file extension associated with the application. 

• Publishing an application. You can publish a .MSI package to 
users only. This provides the user with an option within Add or 
Remove Programs in Control Panel that lets them manually install 
the application if they want to. 

Once Microsoft included Windows Installer technology in Windows 
2000, they also made it their policy to include .MSI installation packages 
in all applications they developed for Windows. What they didn't include 
at the time was a tool of their own for repackaging traditional Setup- 
based applications into .MSI packages. Instead, Microsoft decided to 
include a "light" version of WinlNSTALL called WinlNSTALL LE 
(WinlNSTALL Limited Edition) in the Valueadd folder on the Windows 
2000 product CD. Administrators could then use WinlNSTALL LE to 
repackage legacy applications into .MSI packages that could then be 
deployed using Group Policy. Microsoft apparently also decided to leave 
it to third-party vendors to develop fiall-featured .MSI packaging tools to 
meet the needs of customers who needed to deploy third-party and 
custom applications across their enterprise. 

As a result of this decision, the marketplace has a number of 
competing .MSI packaging tools and .MSI authoring environments 
available at present, and the remainder of this article looks at three 
popular packaging tools that are available. Some of these tools are free 
while others are commercial products with varied pricing and licensing 
requirements, check out their websites for details. Using any of these 
tools can make your life easier as an administrator of a large, Windows- 
based network, since they save you the time of having to visit desktops to 
install the applications that make your business work. 

Advanced Installer 
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The free version of Advanced Installer from Aphyon is powerful and 
easy to use, but if you want to get into advanced packaging tricks like 
setting attributes, installing ,NET assemblies, installing ODBC drivers 
and so on, then you'll need to opt for the more powerful Professional 
version instead. Aphyon also provides optional features through add-ons 
that can be purchased extra. One cool feature of Advanced Installer is 
that it stores its Windows Installer project files in XML format. This 
simplifies versioning of packages you're developing and lets you keep 
track of packages using a version control system. Another feature of 
Advanced Installer is that you can perform most actions from the 
command line. This allows you to automate application packaging using 
scripts, something that can be usefiil if you have a large enterprise with 
many applications to deploy. The current version of Advanced Installer is 
version 2.3 and you can download it here for Windows 2000/XP 
platforms. 



WinlNSTALL MSI Packager 

WinlNSTALL MSI Packager from Software OnDemand is a tool from 
the same evolutionary line that produced WinlNSTALL LE discussed 
previously. Because of this heritage, WinlNSTALL MSI Packager is a 
popular .MSI packaging tool today in many enterprise environments. Not 
only can the tool be used to easily package applications for deployment, 
it also lets you test them against standards like the Microsoft Logo 
Certification. This ensures your packaged applications will install 
properly on the latest Windows operating systems. The current version of 
WinlNSTALL MSI Packager is version 8.6 and you can download an 
evaluation version of this software here . Software OnDemand also has 
two other tools you may want to look at: the upscale WinlNSTALL 8.6 
fiiU product that lets you not only deploy applications but also manage 
them, and WinlNSTALL LE 2003 which is the latest incarnation of the 
free "light" version that was included on the Windows 2000 product CD. 



Wise for Windows Installer 



Wise for Windows Installer from Wise Solutions Inc. is another 
application packaging tool that is popular in some enterprise 
environments. This tool ftiUy complies with Microsoft's .MSI standards 
while also extending the capabilities of .MSI packages without making 
changes to their native format. The result is a powerful tool that can be 
used to deploy legacy, Web-based, and .NET appHcations quickly and 
easily. Enterprises that make heavy use of Microsoft SQL Server for 
back-end databases and Internet Information Services (IIS) 5.0 or 6.0 for 
front-end Web applications should take a close look at this product. If all 

you want to do is package applications into .MSI format, this tool is so 

easy and intuitive to use you hardly need a manual. Wise for Windows 
Installer comes in several editions including Standard, Professional, and Site 
Enterprise editions to meet your deployment needs according to your Search Search 
budget. Wise for Windows Installer is also part of a larger family of Wise 
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Solutions products that includes Wise Package Studio and Wise 
Installation System 9.0 . 

Additional Resources 

Finally, there are a number of other resources you may want to look at 
when you consider which packaging solution to choose for deploying 
applications across your enterprise. These resources include the 
following: 

Articles about Windows Installer and .MSI packaging in the Knowledge 
Base on Microsoft TechNet. Some key articles include: 

• 310598 Overview of the Windows Installer Technology 

• 816102 HOW TO: Use Group Policy to Remotely Install Software 
in Windows Server 2003 

• 257718 HOW TO: Create Third-Pai1v Microsoft Installer Package 
(MSI) 

Articles on myITforum.com , a popular site run by Windows management 
technologies guru Rod Trent. Here you'll find an active community of IT 
professionals who regularly contribute articles on topics like Microsoft 
Systems Management Server (SMS), Microsoft Operations Manager 
(MOM), patch management, MSI packaging, Wise Solutions products, 
and more. There are also some active forums where you can post 
questions and have top experts in the field provide you with answers. 

The Microsoft Windows Desktop Deployment Resource Kit from 
Microsoft Press. I reviewed this book by Jerry Honeycutt previously on 
WindowsNetworking.com and it includes a terrific chapter on Software 
Installation (chapter 23) that provides an overview of Windows Installer 
technologies, package creation, working with transforms, elevating 
installation privileges, third-party distribution products, automating 
legacy installers, and more. I highly recommend this book as a must-have 
for administrators who deploy Windows operating systems and 
applications within enterprise environments, it's well-written and easy to 
read while also being comprehensive in depth. 
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Microsoft Encyclopedia of Networking (Microsoft Press), the Microsoft 
Encyclopedia of Security (Microsoft Press), Windows Server Hacks 
(O'Reilly), Windows Server 2003 in a Nutshell (O'Reilly), Windows 
2000 Administration in a Nutshell (O'Reilly), and IIS 6 Administration 
(Osbome/McGraw-Hill). Mitch is based in Winnipeg, Canada, and you 
can find more information about his books at his website www.mtit.com 

Click here for Mitch TuUoch's section. 
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About Windows Installer 

To install your applications efficiently and reduce the total cost of ownership (TCO) for your customers, you can use 
the Windows® Installer. This section covers the major functional areas of the installer: 

• Overview of Windows Installer 

• Administrative Installation 

• Rollback Installation 

• Maintenance Installation 

• Windows Installer File Extensions 

• Command Line Options 

• S ystem Reboots 

• S ystem Policy 

• Source Resiliency 

• Windows File Protection on Windows 2000 and Windows XP 

• Windows File Protection on Windows Millennium Edition 

• S ystem Restor e Points a nd t he W in dows I nstaller 

• File V e rsioning R ules 

• Product Code s 

• Package Codes 

• Merges and Transforms 

• Q ualif ied Comp onents 

• W i ndo ws Install er Log ging 

• Companion F ile s 

• Isolated Components 

• Per-machine Installations 

• Per-user Installations 

See Also 

Released Versions , Tools, and Redistributables 
Send comments about this topic 
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Merges and Transforms 

The Windows® Installer keeps all information about the installation in a relational database. You can modify this 
database, and therefore the installation, by using transforms and merges. 

Transforms 

A database transform adds or replaces elements in the original database. For example, a transform can change all of 
the text in an application's user interface from French to English. 

Primary uses for transforms include: 

• Customization of base installation packages for particular groups of users. 

Transforms can be used to encapsulate the various customizations of a single base package that are required by 
different groups of users. For example, this is useful in organizations where the finance and staff support 
departments require different installations of a particular product. A product's base package can be available to 
everyone at one administrative Installation point with appropriate customizations distributed to each group of 
users separately. 

• Synchronization of applications across languages. 

Transforms are useful for keeping packages authored at widely separated locations synchronized during 
authoring. For example, if an upgrade is first developed for an English version of an application that exists in 
English and French, a transform can be applied to the upgraded English version that converts it into an upgraded 
French version. 

Multiple transforms can be applied to a base package and then applied on-the-fly during installation. This 
extends the capabilities of the installer to create custom packages and provides a mechanism for efficiently 
assigning the most appropriate installations to different groups of users, 

• Patching applications. 

Transforms can be used to apply a minor fix to an application that does not warrant a major upgrade. For more 
information about patches, see P at ch Pa ck ages. 

Merges 

A merge combines two databases into one database, and adds, rather than replaces, information. If the same 
information exists in both databases, a merge conflict occurs. Merges are useful to development teams because they 
allow a large application to be divided into parts that can be recombined later. For example, the database elements 
for the installation of a new component can be developed separately and later merged into the main installation 
database. For more information, see Mer ge M od u les. 

A development team might apply a merge operation in the following way: 

1. Separate into groups and work simultaneously on different components of a large application. 

2. Each development group then populates a database with installation information for its own component, 
without being concerned with the other components of the application. 

3. After the development of a component is complete, that component's database can be merged into the main 
installation database for the entire application. 

Send comments about this to pic 
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Merge Modules 

Merge modules provide a standard method by which developers deliver shared Windows® Installer components and 
setup logic to their applications. Merge modules are used to deliver shared code, files, resources, registry entries, 
and setup logic to applications as a single compound file. Developers authoring new merge modules or using 
existing merge modules should follow the standard outlined in this section. 

A merge module is similar in structure to a simplified Windows Installer .mat file . However, a merge module cannot 
be installed alone, it must be merged into an installation package using a merge tool. Developers wanting to use 
merge modules must obtain one of the freely distributed merge tools, such as Mergemod.dll, or purchase a merge 
tool from an independent software vendor. Developers can create new merge modules by using many of the same 
software tools used to create a Windows Installer installation package, such as the database table editor Orca 
provided with the Windows Installer SDK. 

When a merge module is merged into the .msi file of an application, all the information and resources required to 
install the components delivered by the merge module are incorporated into the application's .msi file. The merge 
module is then no longer required to install these components and the merge module does not need to be accessible 
to a user. Because all the information needed to install the components is delivered as a single file, the use of merge 
modules can eliminate many instances of version confiicts, missing registry entries, and improperly installed files. 

For more information about merge modules, see: 

• About Mer g e Modules 

• Using Merge Modules 

• Mer g e Module Reference 
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Merge Module Database Tables 

The following tables are required in a standard merge module. 



Table name 

Component 
Directory 

FeatureComponents 
File 

Mo d ul eSignatu re 
ModuleComponents 



Comment 

(REQUIRED) 
(REQUIRED) 
(REQUIRED) 
(REQUIRED) 

(REQUIRED) Merged into the installer database. Lists the information 
identifying a merge module. 

(REQUIRED) Merged into the installer database. Lists all the components in 
the merge module. 



The following tables only occur in merge modules or other installer databases that have already been combined with 
a merge module. 



Table name 



Comment 



ModulePe pendency Merged into the installer database. Lists other merge modules required by 
this merge module. 



Mo duleE x c l u s io n 



Merged into the installer database. Lists other merge modules that are 
incompatible with this merge module. 



The following ModuleSequence tables only occur in merge modules. 



Table name 

ModuleAdminUISequen ce 

ModuteAd mi nE x ecute Se quenc e 

ModuleAdvtUISeque nce 

ModuleAdvtExecuteSequence 

ModuielqnoreTable 

ModulelnstallUISeq uence 

ModulelnstallExecuteSequence 



Comment 

Merges actions into the AdminUISequence table . 

Merges actions into the AdminExecuteS eq uence table . 

Do not use this table. For details, see AdvtUISequence table . 

Merges actions into the AdvtExecuteSeq uence table. 

Lists tables in the module that are not merged into the .msi file. 

Merges actions into the InstaliUISeauence table . 

Merges actions into the InstaflExecuteSeauence table . 



The following tables are required in every configurable merge module. Mergemod.dll version 2.0 or later is required 
to create configurable merge module. For details, see Configurable Mero e Modules. 



Table name 

ModuleSubstitution 
Table 



Comment 

(REQUIRED) This table is not merged into the target installation 
database. Specifies the configurable fields in the target database and 
provides a template for the configuration of each field. 
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ModuleConfiguration 
Table 



(REQUIRED) This table is not merged into the target installation 
database. Identifies the configurable attributes of the module. 



The following installer tables cannot occur in a standard merge module. 

BBControl 

Billboard 

CCPSearch 

Error 

Feature 

LaunchCondition table 

Media 

Patch 

Upgrade 

The following installer tables are optional in merge modules. 
ActionText 

AdminExecuteSeauence 

AdminUISeauence 

AdvtExecuteSeauence 

AdvtUISequence 

Appid 

AppSearch 

Bindlmaqe 

CheckBox 

Class 

ComboBox 

CompLocator 

Control 

ControiCondition 

CreateFolder 

CustomAction 

Dialog 

Dr Locator 

DupiicateFile 

Environment 

EventMapping 

Extension 

Font 

Icon 

IniFile 

In i Locator 

InstallExecuteSequence 

InstallUISequence 

LIstBox 

ListView 

MIME 

MoveFile 

ODBCAttribute 

ODBCDataSource 

ODBCDriver 

ODBCSourceAttribute 

ODBCTranslator 

ProqID Table 
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Property 

PublishComponent 

RadioButton 

Registry Table 

Reg Locator 

RemoveFile 

RemovelniFile 

RemoveRegistry 

ReserveCost 

SelfReq 

Sen/iceControl 

Servicelnstall 

Shortcut 

Signature 

TextStvIe 

TypeLib 

UIText 

Verb 
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The following table identifies the properties for the sunnmary information stream of the merge module. For more 
information, see Summary Information Stream . 



Property 



Last Saved 
By 



Revision 
Number 



Last Printed 

Create 
Time / Pate 

Last Saved 
Time/ Pate 



IP 



PID_LASTAUTHOR 

PID_REVNUMBER 

PID_LASTPRIIMTED 
PID_CREATE DIM 



PIP Type 



Codepaqe 


PID_ 


_CODEPAGE 


1 


VT_ 


12 


Title 


PID_ 


.TITLE 


2 


VT_ 


_LPSTR 


Subject 


PID_ 


.SUBJECT 


3 


VT_ 


.LPSTR 


Author 


PID_ 


.AUTHOR 


4 


VT_ 


_LPSTR 


Keywords 


PID_ 


.KEYWORDS 


5 


VT_ 


_LPSTR 


Comments 


PID_ 


.COMMENTS 


6 


VT_ 


_LPSTR 


Template 


PID, 


.TEMPLATE 


7 


VT_ 


.LPSTR 



VT_LPSTR 



VT_LPSTR 



11 VT_FILETIME 

12 VT.FILETIME 



PID_LASTSAVE_DTM 13 VT_FILETIME 



Pescription 

Identifies the code page used to 
display the summary information. 

"merge module". 

ProductName property. 

Manufacturer property. 

MergeModule, MSI, database. 

Describes the merge module and 
its components. 

Platform and language versions 
supported by database. Required 
in every merge module. For more 
information, see Template for 
the syntax. 

A module that contains 64-bit 
components must have Intel64 or 
x64 set. For information, see 
Using 64- bit Me rge Modules . 

Lists the numeric language 
identifiers for all languages 
supported by the module. The 
first language in the list is the 
default language of the module. 
Specifying more than one 
language results in a 
multilanguage merge. 

Specifies the platform and 
language of the patched database 
using the same syntax as the 
Template Summary property. 

The unique GUID for this merge 
module. Required in every merge 
module. 

Null. 

The time and date when the 
installer database was created. 

Initially null. Each time a user 
changes an installation database 
the value is updated to the 
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Page Count PID_PAGECOUNT 14 \/T_I4 



Word Count PID_WORDCOUNT 15 VT 14 



Character PID_CHARCOUNT 16 VT_I4 
Count 

Creating PID_APPNAME 18 VT_LPSTR 
Appiication 



current system time/date at the 
time the merge database was 
saved. 

Minimum required installer 
version. Stored as an integer in 
the form: Major * 100 + minor. 
Required in every merge module. 

Enter 0 (zero) for this property. 
Note that in a merge module, 
files are always inside an 
embedded cabinet file regardless 
of the value of this property. 
Required in every merge module. 

Null. 



Application used to create the 
installer database. Typically, the 
value is the name of the software 
used to author this merge 
module. 



Security PID_SECURITY 



19 VT_I4 



"2". 
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Windows Installer 3.0 

Posted September 24, 2004 

Chat Date: September 23, 2004 

Please note: Portions of this transcript have been 
edited for clarity 

Introduction 



Moderator: Andy (Microsoft) 

Welcome to today's chat. Our topic is Windows Installer 3.0. Questions, 
comments, and suggestions are welcome. 

Moderator: Andy (Microsoft) 

I'll now have the hosts introduce themselves. 

Host: Ken Wong (Microsoft) 

Hi my name is Ken and I am a tester on the Windows Installer Team. 
Host: asharma (Microsoft) 

Hello! I'm Ashish, a tester on the Windows Installer team. 
Host: Hem (Microsoft) 

Hi, I am Hemchander. I am developer at the Windows Installer team. 
Host: Chris (Microsoft) 

Howdy! My name is Chris Gouge. I was a senior developer on the MSI team until 
just recently and am filling in for the lovely and talented Carolyn today. 

Host: Tyler (Microsoft) 

My name is Tyler Robinson. I am the Program Manager for the Windows Installer 
here at Microsoft. I look forward to talking with you today. 

Host: OmSharma (Microsoft) 

Hi - 1 am Om from the Windows Installer Program Management team 

Moderator: Andy (Microsoft) 

And I'm Andy Q, Communities producer 

Start of Chat 

Host: OmSharma (Microsoft) 

Q: stern67 : Can I get Windows Installer 3.0 without SP2 for Win XP? 
A: Windows Installer v3.0 has been released with XPSP2. The redistributable 
release for Win2k/SP3, Win2k/SP4, WinXP, WinXP/SPl and Windows Server2003 
is under development. 

Host: Tyler (Microsoft) 
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Additionally, the Windows Installer 3.0 SDK is available as part of the Windows XP 
Service Pack 2 SDK at 

http://www.microsoft.com/nnsdownload/Dlatfornnsdk/sdkupdate/ 
Host: Tyler (Microsoft) 

Q: when will the MSI 3 redistributable be released? 

A: We do not yet have a release date for the Windows Installer 3.0 redistributable. 
Host: Tyler (Microsoft) 

Q: any approximate release time frame? Is it a matter of days, weeks, months...? 
A: We are working hard on the redistributable, but we do not have a timeframe to 
communicate at this point. 

Host: Hem (Microsoft) 

Q: Are there any plans for a MSI authoring tool (other than Orca) from MS? 
something similar to Wise? 

A: Visual Studio helps you build MSI packages. WIX (Windows Installer XML) 
toolset is an open source toolset useful in authoring MSI packages. It is widely 
used within Microsoft. Here's where you will find information about it: 
http://sourceforge.net/pro1ects/wix . 

Host: asharma (Microsoft) 

Q: Is there a mechanism to disable the installer from interacting with COM calls? 
Even temporarily? 

A: No. But you can avoid this by using Registry table to register COM components. 
Moderator: Andy (Microsoft) 

For those new to the chat - Our topic is Windows Installer 3.0. We're about 
halfway in-keep those questions coming! 

Host: Chris (Microsoft) 

Q; Generally Windows installer applications will not allow a second installation of 
the same application. If you want to test a new release while keeping an old on 
you have to go to a different machine. Is this something that the user has any 
control over? 

A: It depends on what you mean by "new release" if this is a new release with a 
different ProductCode, then you should be able to install it alongside your existing 
release from the MSI point of view (how well the app itself handles this depends 
on your implementation of the product.) If this is a minor release that you are 
packaging as a new MSI file rather than as an MSP (MSPs are recommended for 
smaller updates) then you would not be able to install alongside the current 
software, you would need to upgrade the existing instance using the recache- 
reinstall flags as described in the documentation. This is what your customers 
would need to do as well, so it is a good thing to test. For clean installs in this 
case, you would need to go to another machine. 

Host: Hem (Microsoft) 

Q; The ExtractPatchXMLData function is new in the 3.0 version. How can I get the 
same information about a patch (Target version, Updated version,..) with Windows 
Installer 2.0 

A: MsiExtractPatchXMLData API is available only on Windows Installer 3.0. If you 
need this information then you need to install Windows Installer 3.0. However, this 
information is already inside the MSP's summary information stream. Y=ou can 
view most of this information using Orca 3.0 as well. 

Host: Chris (Microsoft) 
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Q: Will Orca 3.0 work on MSI 2.0? 

A: Yes, but some functionality will be disabled. 3.0 style patches may not be 
viewable in the "patch viewing" mode, etc. 

Host: KenWong (Microsoft) 

Q: Many Microsoft and other vendor applications leave around boat loads of 
registry keys, folders, files and short cuts. Does version 3.0 offer anything that 
helps make an uninstall look like the application was never there? 
A: Given that the install is Windows Insatller based, a component could be 
orphaned during uninstall if for example it is marked as permanent or shared 
between products. It really depends on the authoring of the package. 

Host: Hem (Microsoft) 

Q: Will the Intel x64 require different Template Summary Property than AMD64? 
Meaning if we want pure 64bit package, will will need a compleltety different 
package for Intel x64, AMD64 and Itanium 64? 

A: That is feature work for Windows Installer 3.1. Windows Installer 3.1 will be 
part of Server 2003 SPl release. 

Moderator: Andy (Microsoft) 

Thanks all for joining and thanks to our experts! 

Host: Tyler (Microsoft) 

I wanted to let everyone know of our upcoming Windows Installer chats. October's 
chat will be on October 12 at 11:00 AM and the topic will be "Using the Driver 
Install Frameworks with the Windows Installer" so if you are interested in 
installation of drivers using the Windows Installer, this chat is for you. November's 
chat will be on November 9 and the topic will be "Using WiX to author your 
Windows Installer packages" so if you have heard about WiX or are using WiX, this 
chat is for you. 

Host: Tyler (Microsoft) 

We look forward to seeing you all at future Windows Installer chats. 
For further information on ttiis topic piease visit tlie foliowing: 

Newsgroups: microsoft.public.platformsdk.msi 

Microsoft Windows Installer Transcripts: Read the archive of past MSI chats. 

Website: Visit the Management Technologies Community Center site. 

Website: Visit the Microsoft Windows Installer site . 
^ Top of Page 
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RE: services running in windows domain (winXP clients) 

From: Jim Masson (jmasson@exchange.mlcrosoft.com) 
Date: Wed Jan 05 2005 - 1 1 : 54:42 CST 

• Messages sorted by: [ date ] [ thread 1 [ subject ] [ author 1 



This is not really my area of expertise, but I did vaguely remember 
something like this from a past project, and was able to locate this 
article that might help explain what you are seeing. 

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy. 
mspx 

According to this article, there are some things that software 

restriction policies do not apply to, including processes that are 

started under the LOCAL SYSTEM account Many services and task scheduler 

jobs fall into this category. 



Scope of Software Restriction Policies 

Software restriction policies do not apply to the following: 

* Drivers or other kernel mode software. 

* Any program run by the SYSTEM account. 

* Macros inside of Microsoft Office 2000 or Office XP documents. 

* Programs written for the common language runtime. (These programs use 
the Code Access Security Policy.) 



Hope that helps. 
-Jim 

— Original Message — 

From: Frank Knobbe [mailto:frank@ knobbe.us] 

Sent: Tuesday, January 04, 2005 4:22 PM 

To: Nicolas RUFF (listes) 

Cc: focus-ms@securityfocus.com; Starks, Brad 

Subject: Re: services running in windows domain (winXP clients) 

On Fri, 2004-12-31 at 18:05 +0100, Nicolas RUFF (listes) wrote: 

> > The way I understand it, software restriction policies only work for 

> > applications that are called by the Windows explorer process. If 
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they 

> > are called by any other process, then the restriction policy does 
not 

> > work. 
>[...] 

> You can check by yourself that SRPs apply to all processes : 

> - Create a 'deny' rule on NOTEPAD.EXE 

> - Launch GPUPDATE to update your policy 

> - Try to launch NOTEPAD from inside CMD.EXE : it won't run 

> 

> Then I tried on the IIS system service (INETINFO.EXE) : the service 
DID 

> start despite the 'deny' rule ... Too bad. I think I will investigate 

> this further, but indeed SRP won't solve your particular problem. 

Launching apps from cmd.exe is comparable to launching it from IE or 
Explorer - in each case the programs is started by the user. 

System services, however, are not. These are started by the SYSTEM. 
Perhaps a service might honor the policy if it is started under a user 
account (other than SYSTEM), but my past experience has been that it 
ignores the policy. 

In short: Apps started from the GUI (Explorer, cmd.exe window, etc) will 
check the policy setting first. Apps started by the system as services, 
the scheduler, I believe, and other already started applications 
(spawning sub commands/scripts/batchfiles/etc) are not. I think the 
screen saver is also not checking the policy, if I remember right. 

Would make for an interesting project - to create a matrix of different 
launch methods and policy compliance results. 

Regards, 
Frank 
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An Application for Creating Interactive and Evolvable Web Sites 

Senior Project: 1996-1997 

Scott Berkebile, James Masson and Samuel Stoller 

University of Colorado at Boulder 

Center for Lifelong Learning and Design 
Boulder, CO 



Most sites on the World Wide Web today are made up of static HTML pages that 
are maintained by a "webmaster." This website model is well suited for 
broadcasting unchanging information across the web to users, but is not well 
suited for presenting information tailored to a specific user need, or for allowing 
users to directly modify and extend the information contained in the site. One 
research project within the Center for Lifelong Learning & Design (13D) attempts 
to transform the Web from a broadcast-oriented media into a collaborative media 
for constructing knowledge. This project aims to implement a new website model 
in which information content and hypertext links are stored as small pieces in a 
database, and then put together "on the fly" to create HTML pages. The goal is to 
support dynamic websites that are directly extensible by users without requiring 
HTML knowledge, deliver information tailored to the user's needs, and integrate 
many different types of content (such as email, newsgroups, and conventional 
web pages). 

This project was developed as a concrete example of such a system. The Elmo 
System is a set of LAN management applications which help LAN administrators 
to better monitor their local area networks. A simple web-oriented interface makes 
Elmo easily available to any user who has access to a web browser. The five core 
applications of the Elmo suite are Host Table (tracks information pertaining to 
particular hosts and devices on the LAN), Trouble Queue (allows users and LAN 
administrators to record and maintain threaded discussions about problems on the 
network), LAN Diary (tracks actions taken on specific networks and devices), 
Glossary (a dynamic dictionary for LAN-related terms), and Link Clipboard (allows 
users to view, edit, and delete their links). In addition to these five applications, the 
Elmo System provides annotation (a system-wide mechanism which allows users 
to annotate entries in the system) and linking capabilities (a general mechanism 
that allows users to associate links with entries in the system). The project was 
developed using Tango and Butler SQL for a Macintosh environment. 
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RE: Computer accounts in NTFS permissions 

From: Jim Masson IJmasson@exchange.microsoft.com) 
Date: Fri Feb 25 2005 - 10:49:33 GST 
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I'm not an expert here, but I do happen to recall the story on this 
particular question. 

The basic rule is that when accessing local resources, LocalSystem and 
NetworkService use their well known SIDs (8-1-5-18 and S-1-5-20), just 
as you would expect. When going out over the network, processes running 
under those accounts use the computer's SID. 

So, if you want a service running as Local System or Network Service on 
machine B to access a file share on machine A, you need to ensure that 
machine B's SID is granted access (or a group that machine B is in) to 
both the share (using the share ACL) and the underlying files using the 
NTFS ACLs. By default, all computer accounts in a domain are members of 
the "Authenticated Users'* and "Domain Computers" security groups. 

Security filtering in Group Policy for computer policies works using 
this mechanism - the policy processing code on the client (running as 
LocalSystem) goes and talks to the domain controller, and policies that 
the computer account is unable to see are automatically skipped. 

You can read more in this article Qust look for the LocalSystem and 
Network Service well known SIDs) 

http://www.microsoft.com/resources/documentationA/\/indowsServ/2003/all/te 
chref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/al 
I/tech ref/en-us/w2k3tr_sids_how.asp 

Cheers, 

-Jim 

— Original Message — 

From: Miroslaw Slawek Chorazy [mailto:mchorazy@depaul.edu] 

Sent: Wednesday, February 23, 2005 2:24 PM 

To: dschmidt@buddyrents.com; bkmlstsgohere@comcast.net 

Cc: focus-ms@securityfocus.com 

Subject: Re: Computer accounts in NTFS permissions 

Marshall 
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>The computer account -- not System or some other account on the 
computer 

>isn't ever going to be accessing files (at least not in any examples I 
can 

>thinkof). 

In an AD environment, the computer account will indeed be used during 
the startup process and will need appropriate permissions and rights 
associated with it to read AD Objects like GPOs and scripts. 
In some environments, the AD DNS dynamic name registration is also 
performed using the SID associated with the Computer. 

slawek 

»> "Bruce K. Marshall" <bkmlstsgohere@comcast.net> 2/23/2005 14:23 

»> 

Daniel, 

The computer account - not System or some other account on the 
computer - 

isn't ever going to be accessing files (at least not in any examples I 
can 

think of). And permissions won't be enforced just because a user or 
service 

account happens to be operating from that computer. So, setting using 
a 

computer security principal in NTFS ACLs won't have any effect. 

If a service on the computer is trying to access the file then you 
should be 

able to set up NTFS ACLs using the appropriate account (System, Local 
Service, Network Service, etc.). 

Bruce K. Marshall - bmarshall@securityps.com 
Security PS - Kansas City 

— Original Message — 

From: "Daniel Schmidt" <dschmidt@buddyrents.com> 

To: <focus-ms@securityfocus.com> 

Sent: Wednesday, February 23, 2005 9:32 AM 
Subject: Computer accounts in NTFS permissions 

> it is my understanding that computer accounts can be used as 
security 

> principals, but using them in a NTFS ACL seems to have no effect. 
Does 

> computer account authentication only authorize accesses from the 
SYSTEM 

> account? Can anyone point me toward some useful reading on the 
subject? 

> 

> Daniel Schmidt 
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Windows Installer and Group Policy 

Posted October 21, 2002 

Chat Date: October 1, 2002 
Chat Participants: 

• Ken Maybee, Tester 

• Chris Gouge, Software Design Engineer 

• Jim Masson, Program Manager 

• Carolyn Napier, Software Design Engineer 

• Adam Edwards, Development Lead 

Windows Installer and Group Policy 
Host MS_Eric_S 

Welcome to today's Chat. Our topic is Windows Installer and Group Policy. Questions, comments, and suggestions 
are welcome. 

Host MS_Eric_S 

The Input Room (below) is where you can enter questions for our Hosts today. We will read them and select 
questions to answer. 

Host MS_Erlc_S 

The questions and answers will be posted in this room, the Reading Room. 
Host MS_Eric_S 

Please feel free to begin posting your questions in the room below. Please begin your questions with a Q: this will 
help us quickly identify the questions. 

Host MS_Eric_S 

We will make an effort to answer as many questions as we can. There may be times when a question may be 
asked that we do not have an immediate answer for or cannot get to. We encourage you to post any of these 
questions in the microsoft. public. platformsdk.msi newsgroup. 

Host MS_Eric_S 

Let's introduce our Hosts for today. 
Host Guest_Ken_MS 

Hi I am Ken Maybee. I am a tester in the Group Policy test team. 
Host Guest_Chris_MS 

Greetings! I'm Chris, a developer on the Windows Installer Team. I've been working on MSI for about four years, 
with my areas of focus uncluding custom actions, security, validation, source resolution, and overall architecture. 

Host Guest_Jim_MS 

Hi, my name is Jim Masson, and I'm a program manager here who has worked on IntelliMirror Software 
Installation, Group Policy, and MSI over the last few years. 

Host Guest_Carolyn_MS 

Hello, I'm Carolyn Napier. I have been a developer on the Windows Installer team for a little over three years, 
specializing in patching and upgrades, digital signatures, and overall architecture. 

Host MS_Eric_S 

Welcome everyone, let's get started! 
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Host Guest_Adam_MS 

Hello -- I'm Adam, a developer for Group Policy and it's software installation component. 
Host Guest_Jim_MS 

Q: Will Windows .NET come out with a "Forced Assigned" option (in addition to Assigned and Published) 
Host Guest_Jim_MS 

A: Yes, With Windows .NET server, you can set a user assigned application to fully install on logon. This will work 
with Windows XP and later clients. 

Host Guest_Adam_MS 

Q: Will there be a programatic interface to group policy to enable us to script the addition of MSI/MST to a policy 
Host Guest_Adam_MS 

A: This is definitely something we're considering for all group policy settings, not just software. We're thinking 
about these issues for a future release. 

Host Guest_Jim_MS 

Q: Why was the decision made at MS such that I cannot "PUBLISH to Computers" ? 
Host Guest_Jim_MS 

A: The idea was that we didn't want a regular (non-admin) user to have the ability to affect all users on the 
machine by installing a machine published application. Turns out that there is interest in this feature, but it didn't 
make it for .NET server L. 

Host Guest_Adam__MS 

Q: Does the "Deployment Count" designation (in the Advanced Deployment Options) actually work in .NET now? 
Host Guest_Adam_MS 

A: Not sure what you feel currently is not working. From an end user standpoint, the number displayed in the 
user interface will let you know how many times the "Redeploy" action has occurred that application. 

Host Guest_Jim_MS 

Q: Will MS provide documentation about the attributes of a "packageRegistration" object, so that one can create 
software packages in a GPO programmatically? 

Host Guest_Jim_MS 

A: Yes, we will provide this documentation on MSDN with Windows .NET server. 
Host Guest_Carolyn_MS 

Q: What new Windows Installer POLICIES are available inside Win .NET server? 
Host Guest_Caroiyn_MS 

A; There aren't any new specific policies that were added in .NET server for the Windows Installer. MSI 2.0 (which 
released with Windows XP) added the new DisableUserlnstalls and LimitSystemRestoreCheckpointing policies. 

Host Guest_Carolyn_MS 

A: Only DisableUserlnstalls is applicable to .NET Server as system restore is not included in .NET server. There 
were some policy default value changes in .NET Server (eg. DisableMsi and TransformsSecure). 

Host Guest_Adam_MS 

Q: If I delete the GPO, and hence, "strand" the application, is there any way to "unstrand" the application? 
Host Guest_Adam_MS 

A: Unfortunately, no. If the application was configured to remain on clients after the gpo went out of scope, it will 
do so until manually uninstalled on the client. If you restore the GPO with a tool such as GPMC, you may be able 
to rectify the situation administratively. 
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Host Guest_Chris_MS 

Q: Is Winlnstall LE still included with Win .NET Server? Or something else? 
Host Guest_Chris_MS 

A: Winlnstall LE is not a part of .NET Server. 
Host Guest_Ken_MS 

Q: can someone define GPO (I currently use InstallShield) 

Host Guest_Ken_MS 

A: A GPO is a Group Policy Object. 

Host Guest_Jim_MS 

Q: Does Win .NET help with "protecting" installs., ie: You assign to John, but Sally can run John's assigned 
programs (after installed) 

Host Guest_Jim_MS 

A: Yes and No. Assuming that the app requires COM registration, or it explicitly interacts with the installer using 
our API, it will generally not work for another user other than one it's assigned to. Unfortunately, we don't really 
have anything that provides an easy hard block, short of locking down the app binaries using an ACL. 

Host Guest_Adam_MS 

Q: Will .NET help with figuring out how many licenses are being used (with Deployment Count) or otherwise? 
Host Guest_Adam_MS 

A: There are currently no features for integrating Group Policy with licensing in Windows .Net Server - this has 
certainly been requested by customers. The deployment count only tells you how many times the administrator 
chose to "redeploy" the application, it doesn't tell you how many clients the software has actually been installed 
on. 

Host Guest_Chris_MS 

Q: Are there any plans for Microsoft to start using Windows Installer for all it's own products ? E.g. MSN 
Messenger, IE, Exchange, etc 

Host Guest_Chris_MS 

A: Windows Installer tries to ensure that we provide the functionality our customers need to create their setups. 
Its at the discretion of application teams, internal or external to MS, to evaluate MSI and decide whether it meets 
their needs. 

Host Guest_Chris_MS 

A: It helps if customers request the various applications from the various vendors as MSIs. 
Host Guest_Adam_MS 

Q: Can one change the lifetime of an ".aas" file (from 1 year) after a software package object has been removed? 
Host Guest_Adam_MS 

A: It is best to let the group policy snapin manage the lifetime of this state. Unfortunately, this is currently not 
configurable in gpedit, and in general, editing gpo's outside of gpedit is not advisable. 

Host Guest_Jim_MS 

Q: Adam cd seems to be asking the same question that I have asked. Can you provide more detail on the plans 
for a programatic interface 

Host Guest_Jim_MS 

A: There are a few ways we are providing programmatic access to policy. 
Host Guest_Jlm_MS 

A: The first is that we are shipping a tool with Windows .NET server called the Group Policy Management Console, 
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that (among many other things) provides programmatic and scripted access to many GP functions. 
Host Guest_Jim_MS 

A: Unfortunately, GPMC doesn't have nice interfaces for scripting the contents of a GPO (i.e. the settings). For 
that, we will have some documentation of the data that we sue and store in the AD, but we don't have nice APIs 
on top of it. 

Host MS_Eric_S 

Hello. For those just joining the chat - Our topic is Windows Installer and Group Policy. Questions, comments and 
suggestions are welcome. 

Host Guest_Adam_MS 

Q: Adam cd seems to be asking the same question that I have asked. Can you provide more detail on the plans 
for a programatic interface 

Host Guest_Adam_MS 

A; I'd like to provide more details, but at this stage we're not in the position to comment on pre-release products. 
I can tell you that yours is a very common request and one of the biggest shortcomings for alt of group policy. 

Host Guest_Adam_MS 

A: Your question on this is helpful data for us in making our plans for the future. 
Host Guest_Adam_MS 

A: In the meantime, GPMC should provide some ability to do this using it's import of an entire gpo capability (you 
could import a "template" of applications programmatically). 

Host Guest_Chris_MS 

Q: So to whom at Microsoft do we request that you distribute your applications as MSI packages? 
Host Guest_Chris_MS 

A: Ideally, you should provide feedback to the application team directly via their feedback mechanism. If you're 
unsure of how to contact the product's team, you can send your request to 
http://www.microsoft.com/mswish 

Host Guest_Carolyn_MS 

Q: does the uninstallatlon of an app require that the PC has access to the original source, rather than using the 
cached MSI for uninstall instructions? 

Host Guest_Carolyn_MS 

A: In general, an application should not require access to the original source on uninstallatlon. The Windows 
Installer does not normally require access to the original source during uninstalls. 

Host Guest_Carolyn_MS 

A: However, applications may be authored such that they require access to the original source (this is outside of 
the control of the Installer). If an application setup includes the ResolveSource action which isn't conditionalized 
appropriately or uses a run from source custom action type, then the original source may be required. 
Additionally, if the cached package is missing, then MSI will need to access to the source in order to perform the 
uninstall. 

Host Guest_Carolyn_MS 

A: In the end, setup authors should strive to author their setup packages so that unnecessary source accesses 
are eliminated. 

Host Guest_Jim_MS 

Q: Jim_MS - docs on the data used for policies, without nice APIs. But some API, nice or not ? covering pgm-atic 
mgmt of policy ? When ? 

Host Guest_Jim_MS 
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A: Unfortunately, we don't have anything reasonable for the settings within a GPO in the .NET server timefranne. 
We have received a bunch of feedback on this, and we know it's needed, but I don't have a timeframe I can 
promise. 

Host Guest_Jim_MS 

A: In the mean time, using GPMC with templates is about the best I can recommend. More on GPMC can be found 
at: <http://www.microsoft.com/windows.netserver/gpmc/default.mspx> 

Host Guest_Adam_MS 

Q: Are there API's to distinguish whether a software package came via a GPO or installed manually on a client? 
Host Guest_Adam_MS 

A: Using Group Policy's RSoP (Resultant Set of Policy), the set of applications installed on a client from a gpo can 
be enumerated. 

Host Guest_Chns_MS 

Q: Will WI support/use DCOM in future, to allow remote installation and configuration of MSI packages? 
Host Guest_Chris_MS 

A: Windows Installer is a software installation technology. While MSI Integrates closely with a variety of targeting 
and software distribution systems, this is not functionality that it provides natively. 

Host Guest_Chris_MS 

A: You will need to initiate the install on the clients using the technology of your choice. 
Host Guest„Jim_MS 

Q: sorry I am confused now - are you saying you will not provide documentation to enable us to programaticaily 
edit GPO's for software distribution ? This would be a huge limitation, we can code around that lack of an API ... 

Host Guest_Jtm_MS 

A: To clarify - we will provide docs on the structure of the data in AS and on SysVol, but we are not providing an 
API to manage it directly in the .NET server timeframe. 

Host Guest_Adam_MS 

Q: Are there any plans to change the nature of how GP uses ".aas" files to advertise software? 
Host Guest„Adam_MS 

A: There are known limitations with the deployment time vs. application time state of GP deployed applications. 
This is something we'd want to address in the future, whether through the use of .aas files or some other 
mechanism. 

Host Guest_Chris_MS 

Q: Are there API's to distinguish whether a software package came via a GPO or installed manually on a client? 
Host Guest_Chris_MS 

A: Followup Answer from a slightly different perspective, MSI itself provides a MsiIsProductElevated() API which 
can be used on the client to determine whether a product Is admln-managed or not, but it does not necessarily 
indicate that the install currenly falls within the control of any particular distribution technology. 

Host Guest„Carolyn_MS 

Q: When will an action with sequence number "-4" get run? 
Host Guest_Carolyn_MS 

A: Negative sequence numbers are reserved for exit actions. -1 is the Exit Dialog. -2 is the UserExit Dialog. -3 is 
the FatalError dialog. -4 is executed when the installation is suspended. 

Host Guest_Adam_MS 
Q: What is an .aas file? 
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Host Guest_Adam_MS 

A: These are just files that contain lightweight information about an application (e.g. shortcuts, source paths) 
used by group policy to bootstrap an application onto a client machine. This is an implementation detail that could 
change in future windows releases, so it is best not to rely on its structure or existence. 

Host Guest_Jim_MS 

Q: Why does MS not provide more documentation on creating admin templates to aide administration, eg, 
provide reg locations on how to tweak settings that admins need. 

Host Guest_Jim_MS 

A; In general, just manipulating arbitrary registry keys doesn't get you the best experience with policy, as 
settings that are not designed to be policies will generally overwrite user preferences, and tattoo themselves on 
the machine, even when the policy no-longer applies. 

Host Guest_Jim_MS 

A: As a result, we focus most of our efforts on getting OS components and apps to support proper policy settings, 
and with Windows .NET server we have close to 1000 such settings. 

Host Guest_Jlm_MS 

Is there a particular setting you want to manage that we don't specify? That would be useful feedback. 
Host Guest_Adam_MS 

Q: One limitation of MSI & GP is the inability to specifiy a specific log file location for an assigned/published 
application. Any plans to alter this behavior? 

Host Guest_Adam_MS 

A: Group Policy does not currently have this capability in any Windows release, so we can certainly take this 
suggestion for per-application diagnostic capabilities as a suggestion for the future. Currently, it is possible to 
globally enable the creation of log files through group policy, but this does not allow specification of the log file 
locations. 

Host Guest_Carolyn_MS 

Q: I am interested in finding more about the direction Windows Installer is heading. For example, will the MSI 
schema be expanded upon to enable handling driver installation eliminating the need for .INF files? 

Host Guest_Carolyn_MS 

A: Support for installation of drivers is definitely one feature that Windows Installer Is considering in the future. 
Host Guest_Carolyn_MS 

A: If you would like to make your feature request known, I'd suggest using 
http://www.microsoft.com/mswish. 

Host Guest_Chns_MS 

Q: Will the next version of WI, change the feature, that an installation in the root of a drive automatically installs 
on the one with most space, and insted try c:? 

Host Guest_Chris_MS 

A: This is unlikely to change. For one thing. In some locations, drive C: is not a hard-disk drive. If you would like 
to specify a specific target location, you can do this by setting the TARGETDIR property or any property from the 
directory table. 

Host Guest_Jim_MS 

Q: A bluesky future question, are there any plans to migrate sysvol GPO files to an XML format ? 
Host Guest_Jim_MS 

A: We are considering a number of different options for the future storage of policy on the server. Unfortunately, 
there isn't anything that we can speak about publically yet on that front. 
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Host Guest_Jim_MS 

Q: Jinn_MS. To name a few, System Restore settings (time to keep and how often), IRP Stack size, Disabling Dyn. 
DNS, removing RAS checkbox from Gina, Event viewer settings, crash control settings, additional IE lockdowns, 
etc. 

Host GuestJim_MS 

A: Thanks, I'll pass those along to the relevant folks. 
Host Guest_Adam_MS 

Q: Are there plans to have WMI filters per software package in a GPO? I want to create a GPO with multiple 
packages with different WMI Filters for each package (based on h/w parameters). How can I get around this? 

Host Guest_Adam_MS 

A: For the future, we are looking at advanced ways to target individual settings such as deployed applications. 
With our current infrastructure, you'd need to create multiple gpo's that divided your applications into different 
classes based on the hardware needs that you can express in the gpo's wmi filter. 

Host Guest_Carolyn_MS 

Q: Regarding an action with a "-4" sequence number. I'm guess I'm not clear on defining a "suspended" 
installation. EG, If one does not select any push buttons on an error dialog, is this a "suspended" installation? 

Host Guest_Carolyn_MS 

A: A "suspended" install would be an installation that was interrupted before it could be completed. For example, 
this might be a power loss during an installation. 

Host Guest_Carolyn_MS 

A: Additionally, you could have a "suspended" install if your response to a ForceReboot reboot is to choose to 
reboot later. 

Host Guest_Chris_MS 

Q: will there in the future be a policy, that turns on elevatedprivlledges during installation, and removes it when 
the installation has ended, so that a user does not have to be admin when installing it? Else, does Microsoft 
provide directions? 

Host Guest_Chris_MS 

A: MSI will never allow applications to tell the system "elevate me" without some form of administrator approval 
and control system. This would be a huge security hole. Currently administrators can provide this 
approval\control system by advertising the software ahead of time or by using some software distribution 
technology to pre-approve the software. The other way administrators can allow limited users to install software 
is to set the AlwaysInstallEIevated policy, which tells MSI to alway install with elevated privileges. This policy 
essentially turns of security on the machine and should never be used in any form of secure environment. More 
information can be found in the MSI documentation. 

Host Guest_Jim_MS 

Q: will the next generation of .NET server GPO distributions take use of the BITS service? 
Host Guest_Jim_MS 

A: It's not something we use today, but BITS is something we are looking at, but any such improvement would 
be after .NET server. 

Host Guest_Ken__MS 

Q: Imported settings (ex. IE Sites) seem ftakey when pushed via GP - any tips/tricks? 
Host Guest_Ken_MS 

A: Could you provide a example of the flakey items? 
Host Guest_Jim_MS 
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Q: Any plans to incorporate deployment via Group Policy a requirement in Windows 2000/XP logo compliance? A 
Challenge of administrators is to "appropriately" configure the feature states to ensure that an MSI will 
advertise/install via GP properly. 

Host Guest_jim_MS 

A: Good suguestion, I'll pass that along to the proper folks. 
Host Guest_Carolyn_MS 

Q: Continued question about targetdir. Would it be wrong to suggest some kind of intelligence in WI, so that it 
would look at the drive where windows is instaled, or programfiles. 

Host Guest_Carolyn_MS 

It is more likely that this would be a better drive to install insted? 
Host Guest_Carolyn_MS 

A: You can use the predefined directory table properties like ProgramFilesFolder to author your installation 
package so that the resolution of TARGETDIR resolves to the Program Files folder location. 

Host Guest_Carolyn_MS 

A: MSI has lots of logic to allow you to create a Directory table that will resolve to the location you prefer. 
Host Guest_Chris_MS 

Q: Will WI, in future, support error handling (or return code handling) in Custom Actions? We install MS hotfixes 
using MSI (to elevate privilages), but some hotfixes return "reboot" return code, which MSI thinks is failure. 

Host Guest_Chris_MS 

A: Various types of custom actions have different levels of functionality as far as handling return codes and 
interacting with the MSI installation. Currently, executables have a success\fail return-code interpretation, which 
is the most limited type of interpretation. We will investigate your suggestion for the next version, but it is too 
early in the planning process to say for certain what the future holds for executable custom actions. 

Host Guest_Adam_MS 

Q: Some of our sites get the imported settings others do not - RSOP shows that GP made it to the workstations 
Host Guest_Adam_MS 

A: It sounds like you're saying that rsop shows the gpo settings has having applied, but they do not seem to have 
actually applied. Such a case could only be a bug - I would double-check the group policy newsgroup to try to 
get detailed assistance, and if It still seems like a bug, a support call is probably the next place to go. 

Host Guest_Carolyn_MS 

Q: What is the best way to detect installation of other software within an MSI pacakage? For eg., if IIS is 
installed, then created Virtual Directory via this script. 

Host Guest_Carolyn_MS 

A: One option is to make use of AppSearch action and the Signature, RegLocator, DrLocator, IniLocator, and 
CompLocator tables. 

Host Guest_Carolyn_MS 

A: If AppSearch finds the matching signature, then it will set the property you specified in the AppSearch table for 
the Signature. 

Host Guest_Carolyn_MS 

A: You can then conditionalize your action and/or component on the property. The other option is to use a custom 
action to perform the detection if AppSearch can't get you want you want. 

Host Guest_Chris_MS 

Q: Does WI support (or easily support) installation completion after reboot? Or do we need to build an external 
program that runs or runsonce at login? 
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Host Guest_Chris_MS 

A: Yes, MSI has support for installations that need to reboot in the middle of the install. MSI will attempt to 
restart the installation, however the exact behavior varies based on whether the same user or a different user 
logs on after the reboot. The MSI can check the AFTERREBOOT property to determine if the install is post-reboot. 
More information can be found in the documentation. 

Host Guest_Jim_MS 

Q: The tool being used for installing MS SDK's is very cool 

(hnp://wv^nw.microsoft.com/msclownload/platformsdk/sdkupdate/) is this a feature in windows installer. 
If not does microsoft ever plan to market this installer? 

Host Guest_Jim_MS 

A: That is actually an ActiveX control, that then manages the installation and updating of multiple, smaller MSI 
packages. It's currently pretty specific to the SDK, and I'm not aware of any plans to publish it or market it. 

Host Guest_Carolyn_MS 

Q; Regarding AppSearch, it would be good to have a generic "IsProductlnstalled (GUID)" function... 
Host Guest_Carolyn_MS 

A: You can partially accomplish this with the CompLocator table which will allow you to search for a particular 
component ID. 

Host Guest_Caroiyn_MS 

A: If the component was unique for the product, then you could detect your product that way. Also for first-time 
installations, the FindRelatedProducts action can be used together with the Upgrade table to detect products. 

Host Guest_Carolyn_MS 

A: You can use the msidbUpgradeAttributesOnlyDetect attribute to just perform detection. You don't have to use 
the Upgrade table solely for removal of pre-existing MSI products. 

Host Guest_Adam_MS 

Q: How does a GP define the source of an MSI when used to advertise (assign or publish) an application? 
Host Guest_Adam_MS 

A: Group Policy uses the file system path that the user points to in the gpedit ui when deploying the application. 
Host Guest_Carolyn_MS 

Q: re: ALLUSERS + Per User data files + Uninstall. If you install a package Per-Machine, and that package has Per 
User data, generally the application or the W.I. shortcut will create initial data for each user as required. 

Host Guest_Carolyn_MS 

A: yes, this is the way Windows Installer works and it is a complicated issue because in some cases this is desired 
behavior. For example, user configuration settings may need to remain after an Install. 

Host Guest_Carolyn_MS 

A: Additionally in roaming user scenarios, unlnstallation of the product by one user should not affect the other 
user and remove its settings. 

Host Guest_Carolyn_MS 

A: Additionally we do provide validators that help detect cases where the package author is mixing per-user and 
per-machine data. This can often help minimize the impact of this. 

Host Guest_Jim_MS 

Q: Are there any known issues re: GP and 64-bit installer on (Win2KAS 64bit, Xp 64, .NET Svr 64)? Links, 
keywords would be helpful. 

Host Guest_Jim_MS 

A: There is explicit support in both WI, and in the GP Software Installation feature for handling 64 bit packages 



http://msdn.microsoft.comychats/transcripts/windows/windows_100102b.aspx 



6/7/2006 



MSDN Online Chats is a forum to engage in discussions about Microsoft products or te... Page 10 of 10 



(and 32 bit packages on 64 bit platforms) in .NET server. In particular, you can allow or prevent 32 bit packages 
form being visible to your 64 bit systems. 

Host Guest_Jim_MS 

A: The .NET server version of the software isntallation whitepaper will cover this 
Host Guest_Adam_MS 

Q: re: MSI source: does the GP use UNC or can it use drive letters? For a single domain environment with 
multiple sites and software distribution servers, you can see that drive letters are important. 

Host Guest_Adam_MS 

A: Group Policy will honor a drive letter (i.e. you can browse to y:\apps in the gpedit ul and the path will start 
with y:), but bear in mind that driver letters may be mapped differently for different users, and Windows Installer 
may have issues accessing the drive letter. This is why gpedit gives a warning In this case I would advise 
against it Instead, I would recommend using unc paths with dfs, will do the right thing in terms of sites and 
locality. 

Host Guest_Adam_MS 

Q: Does the GP Software Installation show the "bitness" of the package or should the name of the product reflect 
that? 

Host Guest_Adam_MS 

A: Yes, it does. It is shown in the property pages, and also can be shown in the result pane if you choose "add / 
remove columns" in gpedit and add the architecture column. 

Host MS_Eric_S 

Thanks for joining us today and thanks for the questions. It's time for us to go now. You'll be able to find the 
transcript of this chat soon on the MSDN Web site at http://msdn.microsoft.com/chats/recent.asp. Please 
see the chats schedule at http://msdn.microsoft.com/chats for upcoming topics. 

Host MS_Eric_S 

We also encourage you to join us in the MSI newsgroup at 
news://msnews.microsoft.com/microsoft.pubilc.platformsdk.msl. 

Host MS_Eric_S 

Note that we have another MSI chat coming up on Nov 6th, on Custom Actions. See 

http://msdn.microsoft.com/chats for more info and for links for reminders for that chat. Hope to see you 
there! 
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